Detect whether "Include inheritable permissions from this object's parent" is checked for an Active Directory user object

Last Modified: 2012-08-14
I need to generate a report of users for whom this checkbox is checked and is not checked. I would like to see if I can detect this programmatically using a PowerShell script. Could someone please show me how?

Commented:
This one-liner uses Quest's AD Snapin and shows users with inheritance broken:

Get-QADUser -SizeLimit 0 | ?{$_.security.PermissionInheritanceLocked}

If you would like to see a full report:

Get-QADUser -SizeLimit 0 | Select-Object name, dn, @{n="InheritanceBroken";e={$_.security.PermissionInheritanceLocked}}

Author

Commented:
I can't install additional tools like Quest's on the machine. How can one do this with PowerShell alone on W2k8 R2?

Commented:
And an R2 Active Directory Module solution:
Import-Module ActiveDirectory
cd AD:    # the AD: PSDrive lets Get-Item / Get-Acl address objects by distinguished name
Get-ADUser -Filter {enabled -eq $true} | ForEach-Object {
    $user = $_
    # AreAccessRulesProtected is $true when "Include inheritable permissions from this object's parent" is unchecked
    $blocked = Get-Item $user.DistinguishedName | ForEach-Object { Get-Acl $_.PSPath } | ForEach-Object { $_.AreAccessRulesProtected }
    New-Object -TypeName PSObject -Property @{
        Name = $user.Name
        DN = $user.DistinguishedName
        BlockedInheritance = $blocked
    }
}


Author

Commented:
I tried this and I got the error "unable to find a default server with active directory Web services running."

Any thoughts on that?

Thanks again for your help.

Commented:
Check the status of the Active Directory Web Service and start it on the DC.

Author

Commented:
I logged on to the domain controller and did not find any service with this name.

Just so it's clear, the domain controller is 2003. The machine from which I am running the powershell script is 2008 R2.

Commented:
I see, in this case my solution @ID:35435961 should work.
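The following is an added example and not one of the answers posted in this thread. It produces the report the question asks for (both checked and unchecked users, not only enabled ones) using the .NET System.DirectoryServices classes that ship with PowerShell 2.0 on Windows Server 2008 R2. Because it talks plain LDAP, it needs neither the Quest snap-in nor Active Directory Web Services, so it works against a 2003 domain controller. The $OutputCsv path and the parameter names are illustrative choices; the adminCount column is included because accounts covered by AdminSDHolder are expected to have inheritance blocked, which lets a reviewer separate expected cases from ones that need a closer look.

```powershell
# Added example (not from the thread): report the inheritance-protection state of every user
# object via ADSI. Assumes the caller can read the objects' security descriptors.
param(
    [string]$SearchBase = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext,
    [string]$OutputCsv  = "$env:TEMP\user-inheritance-report.csv"   # illustrative path
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
$searcher.Filter     = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize   = 1000   # paged search so the server-side 1000-object limit is not hit
[void]$searcher.PropertiesToLoad.AddRange(
    @("distinguishedName", "sAMAccountName", "userAccountControl", "adminCount"))

$results = $searcher.FindAll()
$report = foreach ($result in $results) {
    $entry = $result.GetDirectoryEntry()
    # ObjectSecurity is the object's DACL; AreAccessRulesProtected is $true exactly when
    # "Include inheritable permissions from this object's parent" is unchecked.
    $protected = $entry.ObjectSecurity.AreAccessRulesProtected

    $uac = [int]$result.Properties["useraccountcontrol"][0]
    $adminCount = 0
    if ($result.Properties.Contains("admincount")) {
        $adminCount = [int]$result.Properties["admincount"][0]
    }

    New-Object PSObject -Property @{
        SamAccountName     = [string]$result.Properties["samaccountname"][0]
        DistinguishedName  = [string]$result.Properties["distinguishedname"][0]
        Enabled            = -not ($uac -band 0x2)   # 0x2 = ADS_UF_ACCOUNTDISABLE
        InheritanceBlocked = $protected
        AdminCount         = $adminCount             # 1 = protected by AdminSDHolder/SDProp
    }
}
$results.Dispose()

# Full report to CSV, blocked accounts first, then a count per state on the console.
$report | Sort-Object InheritanceBlocked -Descending |
    Export-Csv -NoTypeInformation -Path $OutputCsv
$report | Group-Object InheritanceBlocked | Select-Object Name, Count
```

Run it from any domain-joined 2008 R2 machine; no module or snap-in import is needed. Rows with InheritanceBlocked = True and AdminCount = 0 are the ones worth examining, since SDProp did not put them in that state.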

Author

Commented:
Great!